I hear the same line at least once a month. It usually comes near the end of a conversation, after I’ve raised the idea of tightening up someone’s security. The owner leans back, gives a little shrug, and says some version of: “Mate, we’re tiny. Why would anyone bother with us?”
I understand the instinct. When you’re running a ten-person business out of a converted warehouse, the idea that someone in another country has you in their sights feels absurd. You’re not a bank. You’re not a government department. You’re just trying to get invoices out and keep the team paid. Surely the criminals are off chasing bigger fish.
That’s exactly the thinking they’re counting on.
Nobody Is Picking You by Name
Here’s the part most owners get wrong. They picture a hacker hunched over a keyboard, deliberately choosing their business out of all the businesses in the world. That’s not how it works. Almost none of it is personal.
Modern attacks are automated. Software quietly scans enormous ranges of the internet, day and night, knocking on every door it can find and noting which ones are unlocked. It doesn’t know you’re a plumbing supplier in Penrith or a three-person design studio. It only knows your front door opened when it shouldn’t have. To that software, “too small to matter” simply doesn’t exist as a category. There’s only “easy” and “hard.”
And small businesses, on the whole, are easy. No dedicated IT person. Passwords reused across half a dozen logins. Multi-factor authentication switched off because it felt like a hassle. That combination is gold to an attacker, because the effort is low and the payoff is real. A single compromised Microsoft 365 account can read every email, reset other passwords, and quietly send invoices with the bank details changed to theirs. You don’t need to be big to be worth a few thousand dollars of someone’s afternoon.
The Invisibility You Feel Is the Vulnerability They Want
The cruel irony is that the very feeling protecting your peace of mind — “we’re invisible, nobody’s looking” — is the thing that leaves you exposed. Because if you believe nobody’s looking, you don’t bother locking up. You stay on the basic plan. You skip the security review. You assume the defaults are fine.
I had a client go through exactly this last year. Small operation, well run, no reason to think they were on anyone’s radar. One staff member clicked a convincing email, typed their password into a fake login page, and that was it. The attacker sat inside the mailbox for the better part of a week — reading, watching, learning the rhythm of how money moved — before redirecting a genuine client payment. The owner’s first words to me were, “I didn’t think we were big enough for this to happen.”
That’s the trap, summed up in one sentence. Feeling small doesn’t make you safe. It just makes you slow to defend yourself.
The Good News: The Locks Are Already in the Building
Here’s what I tell people, and it’s the part worth holding on to. You don’t need an enterprise budget to stop the overwhelming majority of this. The tools are very likely sitting in the Microsoft 365 subscription you already pay for.
Turn on multi-factor authentication for every account — it’s the single biggest difference you can make, and it blocks the password-stealing attack I just described almost entirely. Switch on the security defaults in Microsoft Entra so the obvious gaps close themselves. Let Microsoft Defender do what it’s built to do: catch dodgy attachments and links before a tired staff member clicks them at 4pm on a Friday.
You can even put Copilot to work here. Ask it in plain English to summarise the recent sign-in activity across your tenant, or to walk you through what your current security settings actually mean. I’ve watched owners who’d never open an admin console suddenly understand their own exposure because Copilot explained it in language that made sense to them, sitting right there in their browser.
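If you would rather see those three things in one screen than ask Copilot, the following read-only check is an added example (not from the original post or any Microsoft tooling) that reports the same facts using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, the signed-in account can read policies and reports, and the tenant has an Entra ID P1 licence for the sign-in log part.

```powershell
# Added example, not part of the original post. Read-only: it changes nothing
# in the tenant, it only reports the settings the post talks about.
# Assumptions: Install-Module Microsoft.Graph has been run; the account can read
# policies and reports; Entra ID P1 is present for the sign-in log section.
$scopes = @("Policy.Read.All", "AuditLog.Read.All",
            "UserAuthenticationMethod.Read.All", "Directory.Read.All")
Connect-MgGraph -Scopes $scopes -NoWelcome

# 1. Are security defaults switched on?
#    (They cannot coexist with Conditional Access; if you use CA instead,
#    OFF here is expected and the MFA check below is the one that matters.)
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($defaults.IsEnabled) { "Security defaults: ON" }
else { "Security defaults: OFF  <- turn on unless Conditional Access replaces them" }

# 2. Which accounts still have no MFA method registered at all?
#    Every one of these is the "typed the password into a fake page" case
#    waiting to happen; admins in this list are the first to fix.
$noMfa = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered }
"Accounts without MFA registered: $($noMfa.Count)"
$noMfa | Select-Object UserPrincipalName, IsAdmin | Format-Table -AutoSize

# 3. Failed sign-ins over the last 7 days, grouped by account and country.
#    A steady trickle of failures from countries you never operate in is the
#    automated door-knocking described above; many failures against one
#    account followed by a success is the thing to investigate.
$since  = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$failed = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.Status.ErrorCode -ne 0 }
"Failed sign-ins in the last 7 days: $($failed.Count)"
$failed |
    Group-Object { "$($_.UserPrincipalName) / $($_.Location.CountryOrRegion)" } |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 15 |
    Format-Table -AutoSize

Disconnect-MgGraph | Out-Null
```

Run it from a PowerShell 7 prompt as a user who can read the tenant; nothing is modified, so it is safe to re-run weekly and compare the counts.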
None of this is glamorous. None of it makes for an exciting Monday. But it’s the difference between being a hard door and an easy one — and easy is the only thing the software scanning the internet actually cares about.
So drop the idea that you’re too small to bother with. You’re not invisible. You’re convenient. The sooner you stop feeling safe and start being protected, the less interesting you become to the only audience that matters here — and that’s a very good place for a small business to sit.